
Keeping secrets in your infrastructure pipeline

Rosemary Wang
December 09, 2020


Presented at GitHub Universe, December 9, 2020.

You’ve set up your infrastructure as code in GitHub Actions to securely test and deploy to production. One year later, you discover the account keys you used for automation have been compromised! In a panic, you scramble around multiple repositories looking for where you used the account keys and throw together a script to rotate them. You start to wonder, “is there a better way I could have managed my secret?” In this talk, you’ll learn how to manage secrets in your infrastructure pipeline using HashiCorp Vault and Terraform with GitHub Actions. By using Vault’s dynamic secrets engines, you can rotate, audit, and manage the lifecycle of your infrastructure account keys and API tokens. In addition to managing service account keys for Terraform automation, we’ll cover how Vault can generate secrets such as database passwords for creating infrastructure resources.


Transcript

  1. Keeping Secrets in your Infrastructure Pipeline. GitHub Universe | December 2020. Copyright © 2020 HashiCorp.
  2. Infrastructure Pipeline: a continuous integration pipeline for infrastructure as code. @joatmon08
  3. Pipeline stages (as labelled on the slide): plan, security tests, unit tests, apply, build & deploy, integration tests.
  4. These secrets are a year old… I think?
  5. The same pipeline stages (plan, security tests, unit tests, apply, build & deploy, integration tests), with the realisation: "I committed the database password to GitHub!"
  6. Plan R: 1. Regret, 2. Revoke, 3. Rotate, 4. Reference, 5. Replace, 6. Re-run.
  7. Rosemary Wang (She/Her), Developer Advocate at HashiCorp. joatmon08.github.io, @joatmon08, joatmon08, linkedin.com/in/rosemarywang.
  8. Kinds of secrets in an infrastructure pipeline:
     ▪ Service accounts: log into the infrastructure provider (e.g., service account keys or API tokens).
     ▪ Resource attributes: passed to infrastructure resources (e.g., database passwords or certificates).
     ▪ Generated secrets: created by the infrastructure pipeline (e.g., random passwords or tokens).
  9. The two kinds covered here:
     ▪ Service accounts: log into the infrastructure provider (e.g., service account keys or API tokens).
     ▪ Resource attributes: passed to infrastructure resources (e.g., database passwords or certificates).
  10. Use a Secrets Manager.
  11. Plan R again: 1. Regret, 2. Revoke, 3. Rotate, 4. Reference, 5. Replace, 6. Re-run. Who handles which step: Secrets Manager, Pipelines, You!
  12. The pipeline stages (plan, security tests, unit tests, apply, build & deploy, integration tests) with the secrets steps added: authenticate to secrets manager, get secrets, secrets injection.
  13. The same pipeline with Vault: authenticate to Vault, get secrets at path (via the Vault GitHub Action), secrets injection.
  14. Architecture diagram (components and labels as shown on the slide): HCP (Vault on AWS); Amazon Web Services; AWS RDS (PostgreSQL); GitHub; Infrastructure Pipeline. Vault components: AppRole auth method, Key/Value secrets engine, AWS secrets engine, Database secrets engine. Paths: /pipeline/bootstrap, /aws/creds/pipeline. Labels: "log into Vault with pipeline role and secret", "pipeline token", "get read-only credentials for application", "create managed database", "AWS STS", "peered networks (private)".
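The flow in slides 13 and 14 as an added GitHub Actions workflow; this is example code, not from the deck or its linked repository. It assumes the AppRole role_id/secret_id are stored as repository secrets, that the Vault address is a placeholder, that the Terraform code lives in `./terraform`, and that an AWS secrets engine role named `pipeline` exists at the deck's `aws/creds/pipeline` path.

```yaml
# Added example, not from the deck or its repository: a GitHub Actions job for slides 13-14.
# Assumes the AppRole role_id/secret_id are repository secrets, ./terraform holds the code,
# and an AWS secrets engine role "pipeline" (read at aws/creds/pipeline) exists with a short TTL.
name: infrastructure-pipeline

on:
  push:
    branches: [main]
jobs:
  apply:
    runs-on: ubuntu-latest
    env:
      VAULT_ADDR: https://vault.example.internal:8200   # placeholder, not a real cluster
    steps:
      - uses: actions/checkout@v2

      # Slide 14: "log into Vault with pipeline role and secret". Only the AppRole pair is a
      # static GitHub secret; the AWS keys are minted per run and never stored in the repo.
      - name: Fetch dynamic AWS credentials from Vault
        uses: hashicorp/vault-action@v2
        with:
          url: ${{ env.VAULT_ADDR }}
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          exportToken: true      # exposes VAULT_TOKEN so the last step can revoke it
          secrets: |
            aws/creds/pipeline access_key | AWS_ACCESS_KEY_ID ;
            aws/creds/pipeline secret_key | AWS_SECRET_ACCESS_KEY

      - uses: hashicorp/setup-terraform@v1

      # The Terraform AWS provider reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the
      # environment that vault-action exported, so no key file is written to the runner.
      - name: Terraform plan and apply
        working-directory: terraform
        run: |
          terraform init -input=false
          terraform plan -input=false -out=tfplan
          terraform apply -input=false tfplan

      # Revoke the job's Vault token even if apply failed. Vault revokes the AWS lease issued
      # under that token, so the IAM credentials disappear without waiting for the TTL.
      - name: Revoke Vault token and its leases
        if: always()
        run: |
          curl --fail --silent --show-error --request POST \
            --header "X-Vault-Token: ${VAULT_TOKEN}" \
            "${VAULT_ADDR}/v1/auth/token/revoke-self"
```

The Vault audit log then records one AppRole login and one `aws/creds/pipeline` read per run, which is what makes the "Revoke" and "Rotate" steps of Plan R a matter of lease expiry rather than a manual hunt across repositories.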
  15. github.com/joatmon08/infrastructure-pipeline
  16. References:
     ▪ github.com/hashicorp/vault-action
     ▪ learn.hashicorp.com/tutorials/terraform/github-actions
     ▪ hashicorp.com/cloud-platform
     ▪ vaultproject.io/docs/secrets/aws
     ▪ vaultproject.io/docs/secrets/kv
     ▪ vaultproject.io/docs/secrets/databases/postgresql
     ▪ hashicorp.com/resources/secure-gitops-workflows-with-github-actions-and-hashicorp-vault